naval postgraduate school monterey, california · rinald wayne vughn -avail and ior dist special...

NAVAL POSTGRADUATE SCHOOLMonterey, California

AD-A257 449

DTIC,S ELECTE

THESIS .NOV23E

COMPUTER SECURITY CONCEPTS and ISSUESin the INFORMATION TECHNOLOGYMANAGEMENT (370) CURRICULUM

by

Reginald Wayne Vaughn

September 1992

Thesis Co-Advisor: Dr. Tung X. Bui

Thesis Co-Advisor: Roger Stemp

Approved for public release; distribution is unlimited.

92-299o6

UNCLASSIFIEDSECURITY CLASSIFICATION OF THIS PAGE

REPORT DOCUMENTATION PAGE1a. REPORT SECURITY CLASSIFICATION UNCLASSIFIED lb. RESTRICTIVE MARKINGS

2a SECURITY CLASSIFICATION AUTHORITY 3. DISTRIBUTIONWAVAILABILITY OF REPORT2b. DECLAS,1FICATIONIUOWNGRADING SCHEDULE Approved for public release;

distribution is unlimited

4. PERFORMING ORGANIZATION REPORT NUMBER(S) 5. MONITORING ORGANIZATION REPORT NUMBER(S)

TO" NAME OF.PEREORMING ORGANIZATION 6b. OFFICE SYMBOL 7a. NAME OF NITORING ORGANIZATION

Computer tecnology Dept. (itapplicable) Naval Postgraduate SchoolNaval Postgraduate School 376c. ADDRESS (City, State. and ZIP Code) 7b. ADDRESS (City, State, and ZIP Code)

Monterey, CA 93943-5000 Monterey, CA 93943-50

8a. NAME OF FUNDING/SPONSORING 8b. OFFICE SYMBOL 9. PROCUREMENT INSTRUMENT IDENTIFICATION NUMBERORGANIZATION (if applicable)

8c. ADDRESS (City, State, and ZIP Code) 10. SOURCE OF FUNDING NUMBERSPROGRAM PROJECT TASK WORK UNITELEMENT NO. NO. NO. ACCESSION NO.

11. TITLE (Include Security Classification)

COMPUTER SECURITY CONCEPTS and ISSUES in the INFORMATION TECHNOLOGY MANAGEMENT

ýha P I L A .U TI, •(augn, eginal¶ wayneaster T s b.EOERED 14. DATE OF REPORT (Year, A#Onth. Day) 1 04

M .ster .e'si s I "From 09/91 To 09/92 September 199216. SUPPLMENTARY NOTATIOThe views expressed in this thesis are those of the author and do not reflect the officialpolicy or position of the Department of Defense or the United States Government

17. COSATI CODES 18. SUBJECT TERMS (Continue on reverse it necessary and identify by block number)

FIELD GROUP SUB-GROUP

19. ABSTRACT (Continue on reverse if necessary and identify by block number)DoD has become increasingly dependent upon storing its sensitive information in electronic form and has a deep

concern for the integrity and privacy of this valuable information. In the recent aftermath of numerous electronic

break-ins, the DoD continues to express anxiety over technically weak system administrators' inability to protect

sensitive electronic information.

The solution to minimizing these electronic intrusions and bolstering computer security in DoD is to educate

military officers and federal civilians in the methods of computer security. This can be accomplished by integrating

concepts and problem solving techniques related to computer security into the Information Technology Management

(370) Curriculum at the Naval Postgraduate School.

20. DISTRIBUTION/AVAILABILITY OF ABSTRAGT 21. ABSTRACT SECURITY CLASSIFICATION[3UNCLASSIFIED/UNLIMITED []SAME AS RPT. [] DTIC USERS UNCLASSIFIED

ft AM PN E NDVJDAp 22b TELgP ONElInclude Area Code) 11I Sang1•I ungk A.Tlui aria Koger Stemp

DO FORM 1473, 84 MAR 83 APR edition may be used until exhausted SECURITY CLASSIFICATION OF THIS PAGEAll other editions are obsolete UNCLASSIFIED

i

UNCLASSIFIEDSECURITY CLASSFICATION OF THiS PAGE

[11] Continued: (370) Curriculum

V

S

SECURITY CLASSIFICATION OF THIS PAGE

UNCLASSUFIEDii

Approved for public release; distribution is unlimited

COMPUTER SECURITY CONCEPTS and ISSUES in the INFORMATIONTECHNOLOGY MANAGEMENT (370) CURRICULUM

byReginald Wayne Vaughn

Lieutenant, United States NavyB.S., Lamar University, 1983

Submitted in partial fulfillment of therequirements for the degree of

MASTER OF SCIENCE IN INFORMATION SYSTEMS

Accesion For

from the NTIS CRA&MDTIC TAB

NAVAL POSTGRADUATE SCHOOL UnannouncedSeptember 1992 Justificaton.......................

By .................

Author: Distribution I

9 ca wgd." )_e% 2,,• i Availability CodesRinald Wayne Vughn - Avail and Ior

Dist Special

Approved By: _ __ _-/Dr.Tung X. Bul, Co-Advisor

RoerSen -Advisor It

)2ývid R. Whip~ple, Chairman,Department of Administrative Sciences

iii

ABSTRACT

DoD has become increasingly dependent upon storing its sensitive informa-

tion in electronic form and has a deep concern for the integrity and privacy of

this valuable information. In the recent aftermath of numerous electronic

break-ins, the DoD continues to express anxiety over technically weak system

administrators' inability to protect sensitive electronic information.

The solution to minimizing these electronic intrusions and bolstering

computer security in DoD is to educate military officers and federal civilians

in the methods of computer security. This can be accomplished by integrating

concepts and problem solving techniques related to computer security into the

Information Technology Management (370) Curriculum at the Naval

Postgraduate School.

iv

TABLE OF CONTENTS

I. INTRODUCTION ................................................. 1

A. RATIONALE AND PURPOSE OF THESIS ........................ 1

B. SUMMARY OF CONTENTS ..................................... 3

HI. COMPUTER SECURITY AND DOD ................................. 5

A. WHAT IS COMPUTER SECURITY? .............................. 5

B. DOD'S INTEREST IN COMPUTER SECURITY ..................... 6

1. 1989 U.S. General Accounting Office Report ................... 6

2. 1991 U.S. General Accounting Office Report .................... 7

3. Computer Security Climate ................................... 9

C. THE NEED FOR COMPUTER SECURITY PROFESSIONALS ........ 9

EI9. CULTIVATING COMPUTER SECURITY IN DOD ..................... 10

A. SECURITY RELATED LEGISLATION .......................... 10

1. NTISSP 200 ............................................. 10

2. Computer Security Act of 1987 .............................. 13

B. FORMAL COMPUTER SECURITY EDUCATION ................. 13

IV. ANALYTICAL METHODS ........................................ 16

A. LITERATURE REVIEW ....................................... 16

B. LOGICAL COURSE GROUPINGS ............................... 17

C. INTERVIEWS WITH NPS FACULTY ............................ 18

D. INTERVIEWS WITH DOD ADP MANAGERS .................... 18

E. COURSE ANALYSES ......................................... 19

V. SUMMARY OF FINDINGS ........................................ 20

VI. RECOMMENDATIONS ........................................... 23

VII. CONCLUSION ................................................ 30

APPENDIX A Information Systems Courses ............................ 31

APPENDIX B Computer Science Courses .............................. 52

V

APPENDIX C Electro-Optical and Communication Courses ................ 73

LIST OF REFERENCES ................................................ 94

INITIAL DISTRIBUTION LIST .......................................... 96

vi

L INTRODUCTION

A. RATIONALE AND PURPOSE OF THESIS

In 1986, Cliff Stoll, an astronomer-turned-system administrator at

Lawrence Berkeley Laboratory, attracted international attention by tracing a

75 cent computer system accounting error to a West German hacker stealing

military documents and selling them to the KGB. Although the hacker was not

a brilliant programmer, he was persistent. By exploiting security deficiencies

in operating systems, lax password security, and poor system management,

the hacker managed to attack over 450 computers attached to MILNET,

successfully penetrating 30. The hacker persistently attacked computers

located at military bases, defense contractors, and universities, searching files

for keywords like KH- 11, SDI, and NUCLEAR. [Ref. 1]

On the evening of November 2, 1988, Robert T. Morris, a Cornell

graduate student unleashed a worm on the Internet. Within hours

approximately 3,000 Sun and VAX workstations running variants of the

Berkeley Standard Distribution 4.3 UNIX operating system fell victim to the

worm. Although the worm, innocuous in the sense that it did not destroy files

or alter information, did however propagate uncontrollably, overwhelming

system resources. [Ref. 2]

Between April 1990 and May 1991, foreign hackers penetrated 34

Department of Defense (DoD) computers including one system that directly

supported Operation Desert Shield / Storm. The hackers gained access to

sensitive military computers by exploiting well known flaws in operating

systems, weaknesses in the Trivial File Transfer Protocol (TFTP) and

accounts with easily guessed passwords. [Ref. 3]

1

DoD has become increasingly dependent upon storing its "sensitive

information" in electronic form and naturally there is a deep concern for the

integrity and privacy of this valuable information. In the aftermath of

numerous electronic intrusions, many questions have been raised regarding

the lack of computer security and the abundance of computer system

vulnerabilities.

One predominate factor linked to these "electronic break-ins" is

system administrators who are not formally educated in computer

security. Although highly publicized stories of "electronic break-ins",

worms, and viruses have made some system administrators more security

conscious, awareness of the problem is not enough. [Ref. 4]

The phenomenon of widespread electronic intrusion is veryrecent. It is made possible by the proliferation of personalcomputers and their connection to electronic networks. Althoughtechnically sophisticated, intrusions are always the acts of humanbeings. Intrusions can be controlled by a combination oftechnical safeguards -- a sort of network immune system -- andhygienic procedures for using computers. But they cannot beeliminated.

It would seem that some straightforward technological fixeswould greatly reduce future threats. But technological fixes arenot the final answer; they are valid only until someone launchesa new kind of attack. [Ref. 5]

The solution to minimizing these electronic intrusions and bolstering


in the methods of computer security. This can be accomplished by integrating

concepts and problem solving techniques related to computer security into the

Information Technology Management (370) Curriculum at the Naval

Postgraduate School.

2

The following describes DoD's anxiety about system administrators'

inability to safeguard electronic information, and proposes several cost

efficient avenues to enhance the training of computer security in the

Information Technology Management (370) Curriculum. This thesis will also

serve as a computer security reference vehicle to facilitate faculty members in

modifying their courses to encompass relevant security issues.

B. SUMMARY OF CONTENTS

This thesis contains seven chapters and three appendices, the following is

a summary of the contents:

Chapter I Introduction acquaints the reader with three highly

publicized electronic break-ins and highlights DoD's anxiety about

technically weak system administrators' inability to protect sensitive

electronic information.

Chapter II Computer Security and DoD briefly describes what

computer security is and what it entails. Introduces two U.S. Government

Accounting Office (GAO) perceptions of system administrators, the current

"local" computer security climate, and the need for computer security

professionals.

Chapter HI Cultivating Computer Security in DoD describes laws,

acts, and technical publications that directly impact computer security within

DoD. Proposes modifying an academic program at the Naval Postgraduate

School to ameliorate DoD's computer security problems.

Chapter IV Analysis Methods describes the procedures and resources

used in this thesis.

3

Chapter V Summary of Findings summarizes the thesis research

findings and the strengths and weaknesses of the current 370 Curriculum.

Chapter VI Recommendations describes in detail seven

recommendations for improving computer security.

Chapter VII Conclusion; opinions.

Appendix A Information Systems Courses reflects the comparison of IS

courses with the (ISC)2 information security certification format.

Appendix B Computer Science Courses reflects the comparison of CS

courses with the (ISC)2 information security certification format.

Appendix C Electro-Optical and Communication Courses reflects the

comparison of EO and CM courses with the (ISC)2 information security

certification format.

List of References lists the sources of information used.

4

IL COMPUTER SECURITY AND DOD

A. WHAT IS COMPUTER SECURITY?

In the aftermath of numerous "electronic break-ins" to sensitive

government computers, the DoD has become acutely aware of its computer

security inadequacies. In light of these recent events one must ponder the

question, what exactly is computer security and what does it entail?

Computer security is far more reaching than just protecting information

systems from "electronic break-ins".

Computer security is concerned with identifyingvulnerabilities in systems and in protecting against threats tothose systems .... many computer users still don't reallyunderstand what computer security is--and why it should beimportant to them. Computer security protects your computerand everything associated with it--your building, your terminalsand printers, your cabling, and your disks and tapes. Mostimportantly, computer security protects the information you'vestored in your system. That's why computer security is oftencalled information security. [Ref. 6]

"Every computer system is vulnerable to attack". [Ref. 7] In order to

protect this valuable information, first determine where the system is

susceptible to intrusion, attack, or environmental danger. Once you have

discovered the system's vulnerabilities, appropriate preventative measures

can be taken. Typical areas of concern include:

Physical Vulnerabilities: Your buildings, your computer siteand the associated peripherals are vulnerable. One of the primaryfunctions of physical security is to restrict unauthorized access tothe computer site and provide protection from damage caused bynatural disasters. "Physical security methods include oldfashioned locks and keys, as well as more advanced technologieslike smart cards and biometric devices."[Ref. 8]

5

" Natural Disasters, such as fire, floods, earthquakes, and otherdangers due to natural forces can cause irreparable damage tocomputer equipment and even worse, a loss of valuableinformation. Although natural disasters are not preventable, stepscan be taken to minimize the severity of the damage.

" Software Vulnerabilities: Worms, viruses, trapdoors, and evensimple bugs can open the system to electronic intruders.

" Human Vulnerabilities: "The people who administer and useyour computer system represent the greatest vulnerability of all.The security of your entire system is often in the hands of asystems administrator." If that administrator is not properlytrained or is unable to safeguard valuable electronic information,the system could be exploited and subjected to electronicterrorism or vandalism. [Ref. 9]

B. DOD'S INTEREST IN COMPUTER SECURITY

1. 1989 U.S. General Accounting Office Report

DoD has become increasingly dependent upon storing its "sensitive

information" in electronic form and naturally there is a deep concern for the

integrity and privacy of this valuable information.

Network intruders--some would call themselves explorers orliberators--have found ways of using networks to dial into remotecomputers, browse through their contents, and work their wayinto other computers. They have become skilled at cracking thepassword protocols that guard computers and adept at trickingthe operating systems into giving them superuser or systemmanager privileges. They have also created worm and virusprograms that can carry out these actions unattended andreplicate themselves endlessly--electronic surrogates that canprowl the network independent of their creators. As electronicnetworking spreads around the globe, making possible newinternational interactions and breaching barriers of language andtime, so rise the risks of damage to valuable information and theanxiety over attack by intruders, worms, and viruses. [Ref. 10]

6

Representative Edward J. Markey, Chairman of the Subcommittee on

Telecommunications and Finance (House Committee on Energy and

Commerce), recognizing the devastating impact a malicious "Internet type"

worm could have on DoD computers, asked the U.S. General Accounting

Office (GAO) to conduct an intensive investigation focusing on DoD's

inherent vulnerabilities regarding computer security. [Ref. 11]

Hackers have been accessing and continue to gain access to sensitive

networked DoD computer systems by exploiting system weaknesses. One of

the most prevalent weaknesses mentioned in the 1989 GAO report was

that host computer site system managers were technically weak and

practiced poor security management techniques. The report states:

Host computers are frequently administered by systemsmanagers, typically site personnel engaged in their own research,who often serve as systems managers on a part-time basis.

A number of Internet users, as well as NCSC and DefenseCommunications Agency virus reports, stated that the technicalabilities of systems managers vary widely, with many managerspoorly equipped to deal with security issues, such as the Internetvirus. For example, according to the NCSC report, many systemsmanagers lacked the technical expertise to understand that a virusattacked their systems and had difficulty administering fixes.The report recommended that standards be established anda training program begun to upgrade systems managerexpertise. [Ref. 12]

2. 1991 U.S. General Accounting Office Report

On November 20, 1991 Jack L. Brock Jr., Director of Government

Information and Financial Management Issues (Information Management and

Technology Division) gave testimony before the members of the Senate

7

Subcommittee on the vulnerabilities of DoD computer systems penetrated

during Operation Desert Shield / Storm. Mr. Brock stated:

Hackers continue to successfully exploit security weaknessesand undermine the integrity and confidentiality of sensitivegovernment information.

Between April 1990 and May 1991, computer systems at 34DoD sites attached to the Internet were successfully penetratedby foreign hackers. The hackers exploited well-known securityweaknesses--many of which were exploited in the past by otherhacker groups. These weaknesses persist because of theinadequate attention to computer security, such as passwordmanagement, and the lack of technical expertise on the parl ofsome system administrators--persons responsible for thetechnical management of the system.

At many of the sites the hackers had access to unclassified,sensitive information on such topics as (1) military personnel--personnel performance reports, travel information and personnelreductions; (2) logistics--descriptions of the type and quantity ofequipment being moved: and (3) weapons systems developmentdata.

Although such information is unclassified, it can be highlysensitive, particularly during times of international conflict.Some DoD and government officials have expressed concern thatthe aggregation of unclassified, sensitive information couldresult in the compromise of classified information.

...system administration duties are generally part-timeduties and that administrators frequently have littlecomputer security background or training. [Ref. 13]

Both GAO reports express DoD's anxiety about system

administrators' lack of technical expertise and their inability to safeguard


8

3. Computer Security Climate

To obtain a feel for the "local" computer security climate, interviews

were conducted with the System Administrator/Automated Data Processing

(ADP) Managers at two central California military installations to determine

their computer security backgrounds and training. Research revealed that the

system administrators received little if any formal education in the arena of

computer security. For example, one of the ADP Manager's entire formal

training consisted of a two day computer security Course in San Francisco

[Ref. 14]. The other ADP Manager had not received any type of formal

computer security training to date [Ref. 15].

C. THE NEED FOR COMPUTER SECURITY PROFESSIONALS

It is imperative that the concepts and issues of computer security be

addressed if our goal is to protect the privacy, integrity and availability of

sensitive government information from forms of electronic vandalism and

terrorism. To accomplish this goal, attention must be focused on establishing

an education program that will provide system administrators with the

technical expertise to understand, administer, and make knowledgeable,

informed decisions with regard to computer security.

9

IlL CULTIVATING COMPUTER SECURITY IN DOD

A. SECURITY RELATED LEGISLATION

Since the late 1950s, federal agencies have become increasingly

concerned over the protection of sensitive electronic information. This

concern has spawned numerous pieces of legislation aimed at security. Two

recent pieces of legislation, the National Telecommunication and Information

Systems Security Publication 200 (NTISSP 200) and the Computer Security

Act of 1987, have had a profound impact on the delegation of computer

security practices in DoD.

1. NTISSP 200

National Telecommunication and Information SystemsSecurity Publication 200 (National Policy on Controlled AccessProtection) defined a minimum level of protection for computersystems operated by Executive branch agencies and departmentsof the U.S. Government. The policy applies to any systemaccessed by multiple users who do not all have the sameauthorization to use all of the classified or sensitive unclassifiedinformation processed or maintained by the system. NTISSP 200stated that within five years of publication (i.e., by September of1992), the systems affected by the policy must provideautomated Controlled Access Protection (CAP) for all classifiedand sensitive unclassified information at the C2 level of trustdefined in the Orange Book.' [Ref. 16]

The Orange Book is a technical publication, part of the Rainbow Series2,

which defines trusted computer system evaluation criteria for systems

requiring multiple levels of security. There are four basic divisions of trust,

1. Department of Defense Trusted Computer System Evaluation Criteia, Department of Defense Stan-dard (DOD 5200.28-STD) Library Number S225.711, December 1985.

2. A series of technical computer security books published by the National Computer Security Center,each with a different colored covering, hence the name "Rainbow Series"

10

with each division further subdivided into one or more distinct classes. Each

class is denoted with a number, where the higher numbers indicate a greater

degree of security [Ref. 17]. In increasing order of trust, from lowest to

highest, the classes are:

"* D Minimal Protection

" Cl Discretionary Security Protection

" C2 Controlled Access Protection

"B 1 Labeled Security Protection

" B2 Structured Protection

"* B3 Security Domains

"* Al Verified Design

How do you rate each of the aforementioned classes, and what are the

associated requirements to achieve this rating?

Each class is defined by a specific set of criteria that a systemmust met to be awarded a rating for that class. The criteria fallinto four general categories: security policy, accountability,assurance, and documentation. [Ref. 18] Table 1 compares theOrange Book evaluation classes, showing the specific featuresrequired for each class and, in general terms, how requirementsincrease from class to class. [Ref. 19]

11

Table 1: TRUSTED COMPUTER SYSTEM EVALUATION CRITERIACl C2 BI B2 B3 Al

Discretionary Access Control

Object Reuse

Labels

Label Integrity

Exploitation of Labeled Information

Exploitation of Multilevel Devices

Labeling Human-Readable Output

Mandatory Access Control

Subject Sensitivity LabelsDevice Labels

Identification and Authentication

Audit

Trusted Path

System Architecture

System Integrity

Security Testing

Design Specification and Verification

Covert Channel Analysis

Trusted Facility Management

Configuration Management

Trusted Recovery

Trusted Distribution

Security Features User's Guide

Trusted, Facility Manual

Test Documentation

Design Documentation

New or enhanced requirements for this class

No additional requirements for this class

m No requirements for this class

12

2. Computer Security Act of 1987

The Computer Security Act of 1987 holds each federal agency

accountable for identifying computer systems that utilize sensitive data. The

act also requires civilian, military, government employees, and others who

directly interact with systems containing sensitive information to receive

computer security training commensurate with their level of access. [Ref. 9]

Since the government has over 50,000 sensitive systems, a new stock

of questions emerge. Who will train this multitude of individuals needed to

operate these systems, to what extent will they be trained, and how will their

computer security training benefit the DoD?

B. FORMAL COMPUTER SECURITY EDUCATION: TOWARD A

CERTIFICATION FORMAT

System administrators are chronically considered the weak link in

the computer security chain. Their lack of formal and technical education in

the arena of computer security is a dangerous situation, but this situation can

be rectified.

The Naval Postgraduate School (NPS) in Monterey, California, an

institution dedicated to providing graduate level academic programs to meet

the increasing technological and professional needs of the DoD, offers a viable

solution. The Information Technology Management (370) Curriculum, an

eight quarter interdisciplinary program of study, is designed to provide

officers and federally employed civilians with a strong knowledge of

information systems, emphasizing computer and telecommunication systems.

With minor modifications and a moderate injection of computer security

concepts and issues, the Information Technology Management (370)

13

Curriculum can become a beneficial vehicle for producing more

knowledgeable and competent computer security "professionals". The

modified curriculum can greatly contribute towards combating DoD's

computer security problems.

There are individuals in the computer industry who market themselves as"security professionals", but without the sanction of any recognized certifying

group. A few certification programs lightly touch on security issues, but to

date, there is no certification program dedicated totally to the issues of

information security. [Ref. 20]

The International Information Systems Security Certification

Consortium-- or (ISC)2 for short-- was created to develop acertification program for information systems securitypractitioners. In November 1988, the Special Interest Group forComputer Security (SIG-CS) of the Data ProcessingManagement Association (DPMA) brought togetherorganizations who were interested in creating a certificationprogram for this community of specialists. The cooperatingorganizations include the Data Processing ManagementAssociation (DPMA), Information Systems Security Association(ISSA), Idaho State University, the National Security Agency(NSA), and the Computer Security Institute (CSI). Other groups--including the Canadian and U.S. Governments, the CanadianInformation Processing Society (CIPS), and the InternationalFederation for Information Processing (IFIO) have beenrepresented at meetings and have been invited to participate.Representation from other interested and qualified bodies,including IEEE and ACM, is under consideration. [Ref. 21]

In 1991 (ISC)2 proposed the first formal certification program for

computer security professionals. This certification reflects the current thought

and future expectations of distinguished experts in the computer security field.

[Ref. 22]

14

By extracting the (ISC)2 certification format and injecting these concepts

and issues into the existing 370 Curriculum, a new, enhanced curriculum will

metamorphose. In this fast changing climate of high-technology, this

curriculum will ensure the military has an ample supply of these top-level

managers and supervisors who possess a solid background in the area of

computer security.

15

IV. ANALYTICAL METHODS

The purpose of this thesis is to determine if relevant computer security

concepts and issues were being addressed in the Information Technology

Management (370) Curriculum and make recommendations to improve

course content and the Curriculum. In order to determine which concepts and

issues were considered relevant and if they were being addressed, several

methods were employed:

" Literature review (including academic and DoD publications oncomputer security).

"* Interviews with DoD ADP Managers.

" Interviews with faculty from the Computer Science,Administrative Sciences, and the Electrical and ComputerEngineering Departments.

"* Micro analysis of the 370 Curriculum from the viewpoint of

computer security, utilizing the (ISC)2 certification format.

A. LITERATURE REVIEW

Initially, a comprehensive literature review was conducted to become

familiar with the current computer security atmosphere and to form a

knowledge base for further research. The computer library located in the

Naval Postgraduate School's Ingersoll Hall, is a cornucopia of computer

information. Some of the reference material utilized to assimilate information

for the knowledge base includes;

"* Government Publications: The "Rainbow Series", FederalInformation Processing Standards Publications (FIPS PUBS)and Government Accounting Office Reports (GAO)

"* Electronic Newsgroups: alt.security, comp.risks, comp.virus

16

* Anonymous File Transfer Protocol (FTP): Several documentswere retrieved electronically from these addresses:certsei.cmu.edu, cu.nih.gov, cs.purdue.edu.

* Computer Security Books: Computers under Attack: Intruders,Worms and Viruses by Peter Denning, Security in Computing byCharles Pfleeger, Computer Security Basics by Deborah Russelland G.T. Gangemi Sr., and Computer Security Handbook byRichard Baker.

* Computer Security Professional Certification Format:International Information Systems Security CertificationConsortium (ISC) 2 is the format used to evaluate each course inthe 370 Curriculum. The result of the evaluation is reflected inAppendices A, B, and C.

Once the information from the literature review was assimilated, and a

through knowledge of computer security established. This newly gained

knowledge base, along with the (ISC)2 certification format was used as a tool

to interview NPS faculty members.

B. LOGICAL COURSE GROUPINGS

To analyze the 370 Curriculum, it was necessary to segregate the courses

into the following logical course groupings; Communications (CM),

Computer Science (CS), Electro-Optical (EO), Information Systems (IS),

Management (MN), Operations Science (OS), Mathematics (MA), and Naval

Science (NS). Research revealed the MN, OS, MA, and NS courses were

sufficiently devoid of the information applicable to computer security. Four

course groupings: IS, CS, CM and EO were selected for analysis because

they contained the bulk of the technical material in the 370 Curriculum and

relate to computer systems. Once the areas for analysis were selected, the

experts were interviewed.

17

C. INTERVIEWS WITH NPS FACULTY

Faculty members representing the Computer Science, Administrative

Science, and the Electrical and Computer Engineering departments were

individually interviewed. Each interview revolved around four main issues:

"* To what extent did the course address computer securityconcepts and issues?

"* If the concepts and issues were not addressed, how easy wouldit be to incorporate the (ISC)2 format into the course?

"* If the concepts and issues were addressed, how close did thecontent adhere to the (ISC) 2 format?

* If there were shortcomings in the amount of computer securityissues addressed, where could improvements be made?

Each emphasis area course within its respective department was reviewed

for computer security related concepts or issues. Faculty members were

encouraged to offer their opinions as to how the courses could be modified to

adhere to the (ISC)2 certification format.

D. INTERVIEWS WITH DOD ADP MANAGERS

Interviews were conducted with the System Administrator/Automated

Data Processing (ADP) Managers at two central California military

installations to determine their computer security backgrounds and training.

Interview questions focused on;

"* Personal Education: Did the individual have any previouscomputer experience, if so what type, and how much?

"* Training: What type of computer security training had theyreceived? What actions were taken to increase the staff'sawareness of computer security? What type of guidance did theyreceive (e.g. local instructions, Navy instructions, laws, etc...).

18

What were their future plans to increase computer security and

computer security awareness at their site?

E. COURSE ANALYSES

Four logical course grouping areas of the 370 Curriculum; Information

Systems, Computer Science, Communications and Electro-Optical were

analyzed. Each course in the respective logical course grouping was

scrutinized for relevant computer security issues using the (ISC)2 certification

format as a cross-reference. Each course fell into one of three categories,

either the subject was addressed, the subject was not addressed but needs

to be, or the subject was not relevant to the course.

19

V. SUMMARY OF FINDINGS

Both the 1989 and 1991 GAO reports discussed in chapter 2,express

DoD's anxiety about technically weak system administrator's inability to

protect sensitive electronic information. Both reports recommend a formal

training program be established to strenghten system administrator's

knowledge of computer security.

Interviews with local ADP managers support the GAO's findings that

system administrators receive little if any formal computer security training.

Although only a small portion of the ADP manager population was sampled,

it was evident that formal computer security training had not been a

prerequisite for the position.

Faculty interviews along with course analyses indicate only one course,

CS 4601 Computer Security, adheres closely to the (ISC)2 certification

format, and that computer security concepts and issues are sparse in other

courses of the 370 Curriculum. Of the 298 topic items identified by the (ISC)2

certification format, 165 items are addressed in CS 4601 Computer Security,

37 items are addressed in IS 4200 System Analysis and Design, 10 items are

addressed in CM 3112 Navy Telecommunications Systems, and 6 items in CS

2970 Structured Programming with Ada. Those courses that actually

addressed computer security concepts or issues are highlighted in the current

370 Curriculum matrix shown in Table 2.

20

Table 2: CURRENT INFORMATION TECHNOLOGY MANAGEMENT (370)CURRICULUM

1 stIS 2000 (3-1 ~ (') s30 41) MN 21SS5(4-0Quarter Introduction to Computer Statistical Analysis for Accounting for

Management AsMaagement Management

2 nd CS 3030 (4-0) MA 1248 (4-1) OS 3004 (S-0) MN 310S (4-0)Quarter Computer Architecture Selected Topics in Operations Research for Organization and

and Operating Systems Applied Mathematics Computer Systems ManagementManagers

3 rd14204 EO 2710 (4-2) IS 4183 (4-1) IS 3170 (4-0)Quarter 5ybA u~ Commr Systems 1: Applications of Economic Evaluation of

I~iEtAnalog Signals and Datahase Management Information Systems ISystems Systems

4 th IS 3020 (3-2) EO 2750 (4-2) IS 4185 (4-1) IS 3171 (4-0)Quarter Software Design Comm Systems II: Decision Support Economic Evaluation of

Digital Signals and Systems Information Systems 11Systems

S th IS 4300 (4-0) EO 3750 (4-0) IS 3502 (4-0) ........Quarter Software Engineering Communications Computer Networks: ...........

and Management System Analysis Wide Area ILocal Area_ _ ...........

6 th MN 4125 (4-0) NS 3252 (4-0) IS 4502 (4-0) is 0810(0)Quarter Managing Planned Joint and Maritime Telecommunications Thesis Research for

Change in Complex Strategic Planning Networks Information TechnologyOrganizations Management Studenta

7 th MN 3154 (4-0) S 6 (4) MN 3307 (4-0) is 0810 (0-0)Quarter Financial Management in fiytanI ADP Acquisition, Thesis Researchs for

the Amed Frcesinformation Techmologythe Amed orce ManaementStudessts

8 ti IS 4182 (4-0) Elective is 0810 (0-0) is 0810 (0-0)Quarter Information Systems Th'lesis Research for Thesis Research for

Management Information Technology Information TechnologyManagement Students Management Studemt

For a detailed analysis of how well each course paralleled the relevant

computer security concepts in (ISC9 certification format see the following

appendices. [Ref. 20]

"* APPENDIX A Information Systems Courses

"* APPENDIX B Computer Science Courses

"* APPENDIX C Electro-Optical and Communication Courses

21

In order to help decipher the appendices, a small sample is provided in

Table 3.

Table 3: APPENDIX LEGEND

A. Development of aSecurity Program -- I I I I I [

1. Reason for a organizational security management policy [

a. Objectives

1. Identify sensitive systems/data

2. Security plan

3. Tr•ining

EThe concept or issue is currently addressed.

*The concept or issue is not currently addressed, but needs to be.

WThe concept or issue is not relevant to the course.

22

VI. RECOMMENDATIONS

Research indicates that the current 370 Curriculum needs a moderate

injection of additional computer security topics to emulate the (ISC)2

certification format. Several recommendations for modifying the 370

Curriculum follow:

Recommendation 1: Modify the 370 Curriculum to allow students

to specialize in a particular area of interest. The curriculum would be divided

into three subspecialty areas called "Emphasis Tracks" as follows:

"* Computer Security Emphasis Track

"* Telecommunications Networks Emphasis Track

"* Information Resource Management Emphasis Track

Each "Emphasis Track" would have one or more mandatory required

courses and a variety of elective courses to choose from. The 370 Curriculum

currently provides only one elective choice for students. The flexibility of

being able to select from a variety of elective courses would allow the

individual to tailor the curriculum to their particular field of interest. To

promote this flexibility, two additional elective slots can be realized with the

elimination of MN 4125 (Managing Planned Changed in Complex

Organizations) and IS 3171 (Economic Evaluation of Informations Systems

1I). Examples of each Emphasis Track are provided below:

a. Computer Security Emphasis Track

Required Courses:

IS 3220 - Computer Center Management

IS 4xxx3 - Risk Analysis and Disaster Recovery Planning

23

Elective Courses:

CS 4602 - Advanced Computer Security

IS 3000 - Distributed Computer System

IS 3503 - Micro-Computer Networks

IS 4184 - Information Resource Management in DoN/DoD

IS 4186 - Knowledge-Based Systems and Artificial Intelligence

MN 4125 - Managing Planned Change in Complex Organizations

OS 3404 - Man-Machine Interaction

b. Telecommunications Networks Emphasis Track

Required Course:


Elective Courses:




IS 4xxx - Risk Analysis and Disaster Recovery Planning



c. Information Resource Management Emphasis Track

Required Courses:


Elective Courses:



3. IS 4xxx Risk Analysis and Disaster Recovery Planning is a course that would have to be developed.

24


IS 4xxx - Risk Analysis and Disaster Recovery Planning


MN 4105 - Management Policy


Recommendation 2: Eliminate the IS 3171 (Economic Evaluation

of Informations Systems ID, MN 3154 (Financial Management in the Armed

Forces), and MN 4125 (Managing Planned Changed in Complex

Organizations) courses from the 370 Curriculum and replace them with

emphasis track electives. Split the CS 3030 Computer Architecture and

Operating Systems course into two courses. One course would consist of

primarily computer architecture, CS 3010, and the other course would consist

primarily of operating systems, CS 3030.

The benefit of splitting the current CS 3030 Computer Architecture and

Operating Systems course into two separate course will allow the instructors

more time to present the material in greater detail as well as inject more

security related issues. The only benefit of not splitting CS 3030 is that it

would make room for a fourth Track Elective. Two curriculum matrices are

shown in Tables 4 and 5. Table 4 reflects CS 3030 being split and Table 5

reflects CS 3030 not being split.

25

Table 4: MATRIXK WITH IS 3171, MN 31549, AND MN 4125ELIMINATED AND CS 3030 SPLIT

1 At IS 2000 (3-1) CS 2970 (4-1) 0S53101 (4-1) MN 2155 (4-0)Quarter Introduction to Computer Structured Programming Statistical Analysis for Accounting for

Muaaganent with Ada Management Manaigement

2nad CS 3010 (4-0) MA 1248 (4-1) OS 3004 (5-0) MN 310S5(4-0)Quarter Computer Architecture Selected Topics in Operations Research for organization and

Applied Mathematics Computer system ManagementManagers

3 rd IS 4200 (4-0) EO 2710 (4-2) IS 4183 (4-1) IS 3170 (4-0)Quarter System Analysis and Comm Systems 1: Applications of Economic Evaluation of

Design Analog Signals and Database Management Information Systems ISystems Systems

4 th IS 3020 (3-2)) EO 2750 (4-2) IS54185 (4-1) CS 3030 (4-0)Qatr Software Design Comm Systems U: Decision Support Operating Systems

Digital signals and SystemsSystems

5 th IS4300 (4-0) E0 3750 (4-0) IS 3502(4-0) CM 3112 (4-0)Quarter Software Engineering Communications Computer Networks: Navy

and Management System Analysis Wide Areat / L0cal Area TelecommunicationsSystems

6 tb S 53252 (4-0) IS 4502 (4-0) is 0810 (0-0)Joint and Maritime Telecomminsicaaions Thesis Research for

Qurtr. .. ... ... .. .. Strategic Planning Network Information Technology. .. .. .manageme," Studeuts

7th CS 4601(40 MN 3307 (4-0) is 0810 (0-0)Quate Computer Securnty ADP Acquisition Thesis Research for

Information Tedumology-aaemn Studnt

8th~i 14 240)50810 (0-0) Is50810 (0-0)Quater InfnnaionSysemsThesis Research for Thetsi Research for

Management Information Technology Information Technology... .. management Students Management Students

26

Table 5: MATRIX WITH IS 3171, MN 3154 AND MN 4125 ELIMINATED ANDWITHOUT CS 3030 SPLIT

1 At IS 200 (3-1) CS 2970 (4-1) OS 3101 (4-1) MN 2155 (4-0)Quarter InidctiontoConiputer Strucaiied Progrmmniing Statistical Analysis for Accounting for

Management with Ad& Management Management

2 ud CS 3030 (4-0) MA 1248 (4-1) OS 3004 (5-0) MN 3105 (4-0)Quarter Computer Architecture Selected Topics in Operations Research for Organizationl and

and Operating Systems Applied Mathematics Computer Systems ManagementManagers

*3 rd IS 4200 (4-0) EO 2710 (4-2) IS 4183 (4-1) IS 3170 (4-0)Quarter Syskm Analysis and Comm Systems 1: Applications of Economic Evaluation of

Design Analog Signals and Databuse Management information Systems ISystems Systems

4 th IS 3020 (3-2)) EO 2750 (4-2) IS 4185 (4-1) MN 3307 (4-0)Quarter Software Design Comm Systems UI: Decision Support APP Acquisition

Digital Signals and SystemsSystems

5 th IS 4300 (4-0) EO 3750 (4-0) IS 3502 (4-0) CM 3112 (4-0)Quarter Software Engineering Communications Computer Networks: Navy

and Management System Analysis Wide Area / L=Wa Area TelecommunicationsSystems

6 th NS 3252 (4-0) IS 4502 (4-0) isO0S10(0-0)Quarter.........Joint and Maritime Telecommunications Thesis Research for

strategic Planning Network information TechnologyManagement Students

7 Vth 1bt ~ S4601(4-0) 1i ijIS08 10(0-0)Quarter Computer Security TesRearhfo

...... .. . . .Information TechnologyManagement Students

8 th IS 4182 (4-0) is 0310 (0-0) is 0810 (0-0)Quarter Informiation Systems Thesis Research for Thesis Research for

Management ...i.........Information Technology Information TechnologyManagement Students Management students

Recommendation 3: Establish an advanced computer security

course as an elective for those individuals desiring to gain expertise in

computer security. Academic objectives would include an understanding of:

* the fundamental models involved in multilevel security.

* how the fundamental models used in multilevel security areimplemented in the design of a secure computer system.

0the advancements and limitations of computer security

27

technology in the areas of multilevel databases, networks anddistributed systems.

"* the various roles encryption plays in the development of securenetwork protocols and remote access control.

"* the DoD requirements for trusted systems and the verification

process.

Recommendation 4: Establish a Disaster Recovery and Planning

course IS 4xxx, which would include:

"* current theoretical foundations for conducting risk analysis.

"* an introduction to automated assessment tools.

"* an introduction to current guidelines and directives.

"* analyses of case studies.

Recommendation 5: Establish a computer security laboratory,

which would allow students to apply theoretical concepts. This lab would

include:

" quarantined systems which would allow students to experimentwith viruses without infecting other computers. Students couldmonitor the life cycle of viruses along with evaluating differentanti-virus software packages.

"* computers with communication software that would allowstudents to gain experience using both private and public keyencryption protocols and permit them to conduct fundamentalpenetration testing.

" TEMPEST equipment to monitor electronic emanations fromcomputer systems, peripherals, and conductors.

"* a Honeywell Information System Secure CommunicationsProcessor (SCOMP). The SCOMP is the only system to date thathas received an A l Orange Book security rating. The SCOMPwould provide students a vital research tool to explore multilevel

28

security issues.

various biometric devices that measure human bodycharacteristics used in computer security such as: retinal patterns,fingerprints, handprints, voice patterns, keystroke patterns, andsignature dynamics. The Naval Postgraduate School'sOperations Research Department has an excellent biometricslaboratory which could be used as an annex of the computersecurity laboratory.

Recommendation 5: Provide adequate funding in order to support a

quarterly seminar program in which visiting specialists from both government

and civilian sectors could address students and faculty concerning new

technologies, products and policies.

Recommendation 6: Restructure the IS 2000 Introduction to

Computer Management course to include high level coverage of material

delineated in the (ISC)2 certification format. This would expose new students

to the importance of computer security early in the curriculum and thereby

foster a basic understanding and appreciation of concepts that will be

introduced in subsequent courses.

Recommendation 7: Use the Appendices A, B, and C as a computer

security reference to help guide faculty members in modifying their courses to

include relevant computer security topics.

29

VIL CONCLUSION

DoD has become increasingly dependent upon storing its sensitive

information in electronic form and naturally there is a deep concern for the

integrity and privacy of this valuable information. In the recent aftermath of

numerous electronic break-ins, the DoD continues to express anxiety over

technically weak system administrators' inability to protect sensitive


A significant step in minimizing electronic intrusions and bolstering


in the latest technology and administrative controls available to enhance

computer security. T"js ,an be accomplished by modifying the Information

Technology Management (370) Curriculum at the Naval Postgraduate School

to adhere to the proposed recommendations.

In order to further enhance the Information Technology Management

(370) Curriculum at the Naval Postgraduate School, and strengthen the

graduate's knowledge of computer security, it is imperative that the 370

Curriculum be revised to meet the needs of DoD in this rapidly changing

technology.

30

APPENDIX A

Table 6: Information Systems Courses

1. Overview

A. Development of a Security Program --- T III I

1. Reason for a organizational security management policy

a. Objectives


2. Security plan "= 1 1E IIII

3. Training

b. Policies

1. Written and communicated

2. Board of directors responsibility

3. DPMA model policy [U " _..

c. Connectivity, organizational structure, and securityT-II

1. Connectivity definedIII ll l

2. Effect on organizational structure

3. Security considerations

d. Plans

1. Human resource management

2. Access control I l ll Ill

3. Datacontrol

31


4. Labeling

5. Contingency plan

6. Legal responsibilities

e. Responsibilities

1. Board of Directors

2. Board of Directors & senior management

3. Middle management

4. Users

B. Risk Analysis

1. Reason l7 9

2. Typical contents

3. Main purposes

C. Contingency Planning

1. Defined

2. Backup

3. Critical elements

D. Legal Issues for Managers

1. Licenses

2. Fraud/misuse

32


4. Copyright

5. Trade secretsU I I6. Employee agreements I I I N I T I I

E. System Validation & Verification (Accreditation)

1. Plan testing

2. Acceptance of responsibility

F. Information Systems Audit I I I I

II. Risk Management I II[ IIII1I

A. Asset Identification and Valuation

1. Processing valuation U I Il1l

2. Risk management team T7 I I

3. Classification of assets

4. Subclassification of assetsII II

a. People. skills, andprocdures I I l

b. Physical and environmental' IIU lll

c. Communications IIn IU IIII

d. Hardware

e. Software

f. Data and information

33


g. Goodwill

5. Determining values for assets

a. Acquired and intrinsic values

b. Purpose of assigning value to assets

c. How to measure assets values

d. Criticality and sensitivity

1. Criticality: business impact. revenue losses

embarrassment, legal problems

2. Sensitivity: privacy, trade secrets, planning

information, financial data

3. Sources MIS. users, senior management

4. Levels: military, national security, commercial

e. Asset valuation: standard accounting I Ul

f. Asset valuation: replacement value

g. Asset valuation: loss of availability

h. Asset valuation: estimating methods

6. Use of asset analysis results

a. Limitations

1. Lack of data

34


oThreats vulnerabilities ad exposures defined

2. Methodologies for threat assessment

a. Properties of threats

b. Properties of assets

c. Combining properties: the cost exposure matrix

3. Probability concepts

a. Definitions

b. Tables of probability values

c. Fuzzy metrics

d. Expected values

e. Worst case

f. Automated packages

4. Sources of threat information

a. Vulnerability analysis

b. Scenarios

c. Past history

d. Outside Sources

5. Calculating exposures

35


M. Safeguards: Security and Control Measures IT 11ll ITH

A. Overview of Safeguards II II I

1. Common sensegie I l l iil

2. Types of controls: prevention, detections reaction

a. Basic purpose of controls

b. Prevention as

c. Detection analysis

d. Containment

e. Reaction or correction

3. Design strategies T

a. CountermeasuresIII

b. Countermeasure selection --- T

c. Sensitivity analysisI1 1I' I

d. Decision analysis 1 1 Te. Goal-seeking heuristics TT IIa -F

f. Risk perception and communication - -7

4. Components of EDP security

a. Administrative and organizational controls

b. Policies

36


d. Physical and environmental security T N -T- i i

e. Computer operations

f. Contingency planning

5. Components of EDP security: technical

a. Communication and electronic exposures

b. Hardware

c. Encryption

d. Software

B. Organizational and Administrative Controls

1. Trade secrets, employee agreements, conflict of interest

2. Security policy

a. Intent (related to sensitivity)

b. Access to and distribution of information I II l lIIl

c. Laws

d. Regulations

e. Company policy

f. Mandatory and discretionary security - Tl l

g. Accountability: identification, authentication, audit

3. Responsibility areas, System Security Officer

37


a. Basi role U I l l I

b. Duties l l l l

c. Training and skills for a System Security Office

4. Employee training

a. Orientation

b. Skills

5. Telecommuting

C. Personnel Consideration

1. Human motives for criminal action [] 11 1

2. Employee selection

a. Application forms

b. Permissions for investigations

c. Security clearance and citizenship

3. Professional certificates

4. Working environment

a Vacations and job rotation

b. Employee-management relations

c. Career path planning

d. Remuneration

38


6. Prosecution for adverse actions U l l l l

7. Employee separation

D. Physical and Environmental Security

1. Site location and construction

a. Computer room considerations

b. Special microcomputer problems

2. Physical access

a. Access vs. security

b. Rooms, windows, doors, keys

3. Power

a. Spikes, surges. brownouts U l

b. Costs of prevention/protection equipment

4. Air-conditioning

5. Water exposures and problems

6. Fire prevention

7. Fire protection

8. Tape and media libraries; retention policies

9. Waste disposal

10. Off-site storage

39


11. Document libraries and controlsI l I I

E. Computer Operations

1. Organization of computer operations

a. Mainframes

b. Minicomputers

c. Microcomputers/office automation

2. Separation of duties

3. Controls at interfaces

4. Media controls

5. Backup procedures

6. People controls

F. Contingency Planning

1. Backups and procedures

a. Data i m l l HL

b. Manuals and documentation

c. Equipment

1. Air conditioning

2. Uninterruptible power supply

2. Catastrophe planning

40


a. Stages in adisaster l l l l

b. Planning and response teamsl llU l l

c. Testing planl llU l l

d. Communication of plan Im lm l l

3. Security and controls in off-site backup and facilities IT

4. Business and DP insurance

5. Software escrow arrangements

IV. Safeguards: Security and Control Measures, Technical

A. Hackers and reality: Perception of Risk

B. Communications and Electronic Exposures IIIII1 IIIII

1. Locus of attack I7 I1111I1I1

a. Terminals l I I I IW

b. Hosts IIIU l

c. Front-end processors

d. Gateways

e. Links~l lI

f. Switches (multiplexors, packet switching, etc.) llI l l[

g. Special problems with intelligent workstations -- T In l I' I I

2. Types of attack

a. Passive: disclosure; traffic analysis, add/remove nodes

41


b. Active: modification; insertion: deletion, replay 1)111T I m I H

3. Electronic

a. Incoming: interruptions: static, FRI: EMP

b. Outgoing: leakage

c. Solutions: shielding

4. Communications

a. Value-added communications

b. exposures incoming: noise and interference

c. Exposures outgoing: interception, replacement IIIIII I M

d. Solution: physical measures

e. Solutions: encryption

f. ISO OSI communications standards

5. Network design

a. Design considerations

1. Integration of countermeasures into network

design: cryptographic checksum: time stamp;

Bell/LaPadula model

2. Integration of countermeasures into protocol layers:

link level encryption: end-to-end encryption

42


Pb. PAssumraonce ----- 4--

1. Concept of trust

2. Degrees of trustworthiness H IF T3. Trusted network base U I

4. Testing i 1 1 1 1

5. Formal specification I IlI ll I I

6. Formal verification

C. Encryption

1. Definition (plaintext. ciphertext: encryption/decryption)

2. Public key and private key

3. Key distribution

4. Link level, end-to-end

5. Block mode. cipher block chaining, stream ciphers

(synchronous and self-synchronous)

6. DES. RSA

7. Cryptanalysis and strength of ciphers (theoretically secure,

computationally secure)

8. Advantages and disadvantages

D. Software and Operating System Controls

1. Secure operating systems

43


a. Hstory

b. Concepts: capabilities. reference validations

1. Secure kernels

2. Reference validations and capabilities

c. Present guidelines and standards, trusted computer base

d. Design principles fro secure systems

1. Least privilege

2. Open design

3. Fail-safe defaults

4. Economy of mechanisms

5. Naturalness (human factors)

6. Continuous protection

e. Common penetration methods and countermeasures

1. Trojan horse; virus: worm; salami: piggyback:

deception; human compromise; etc.

2. Controls on changes; audit trails: program library;

code comparison; checksums and encryption;

vaccines and antiviral agents; access control; etc.

2. Access control I

44


1. Subjects and objects 111111TI- N.1

2. Access privileges

3. Granting/revoking of privileges

4. Access control lists UT5. Capabilities, descriptors

6. Supervisor states, rings, domains

b. Non-discretionary access control

1. Labels on subjects, objects

2. Rules for reading, writing

3. Software Controls: Development

a. The real problem: bugs

b. Software engineering principles: layering, modularity

c. Structured methods

d. Formal specification and verification

e. Program library/librarian

f. Data dictionary as acontrol {_772 Bg. Conversion and implementation il {

4. Software controls: Maintenance l l l i l

a. Separation of duties

45


b. Testing controls IU IIIIl•U

c. Change control

5. Ass-rance

a. Integrity Tb. Testing

c. Specification/verification

d. Facility management

e. Disaster/contingency

f. Compliance/degree of trust

E. Database systems security II7 l

1. Overview

a. Review of basic concepts of information protection

b. Role of information protection in database systems

2. Threats V II I [

a. Direct disclosure of data

b. Modification of data/tampering with data

c. Inference

d. Aggregation Ill I I a ! I

e. Trojan horse - I 1 l'l !11

46


3. Policy/mechanism T IIIIiIII

a. Policy versus mechanism -7II 1IIl

b. Access controls 1 1 I1I111I

1. Access right and privileges

2. Access control policies

3. Granularity

4. Labels

5. Access control mechanisms

c. Inference controls

d. Integrity controlsI I I I I I

1. Integrity policy

2. Integrity mechanisms ]Il

e. Accountability controls

1. Identification and authentication

2. Audit

4. Design issues

a. Protection Approaches

I. Trusted kernel

2. Trusted filter

47


M K I N~ ~~~ ~~ E li & W O M R 11q~" ; ýI "

3. Encryption

b. Performance

c. Storage

d. Access control vs. integrity

e. Assurance

V. Legal Environment and Professionalism

A. Law and legislation T

l. The underlying problem

a. Theft, copying software, privacy

b. Fraud

c. Physical abuse

d. Mfisuse of information

e. Sabotage

2. Laws as tools for computer security

a. Privacy laws and legislation

b. Intellectual property laws

1. Copyright law

2. Trade secret law

3. Patent law I I I I

48


c. Federal laws (esp. Computer Security Act 1987) 1 1lUlii l Tl

d. State statutes I L LL

e. DPMA Model Computer Crime Bill - II I U Illl

f. Computer crime legislation in other countries I I I I I ll

3. Legislation as legal options to control computer crime

a. License agreements (consumer license agreements) I

b. permanent license agreements I III-la llll

c. Intellectual property rights

d. Employee non-disclosure considerations

e. Contracts

1. Software development contracts

2. Legal aspects of software purchasing

3. Leasing contracts

f. Warranties for software and hardware

4. Control of strategic materials

5. Fraud and crime prevention and detection

6. Investigation; evidentiary trial - m I N I T

B. Ethics and professionalism

1. Ethical decision-making

49


2. Professional societies T 11l111

a. British Computer Society 1 7I LU II

b. North America: DPMA and ICCP

c. Canada: CIPS and DPMA

1. CIPS

2. DPMA Canada

d. Computer Professionals for Social Responsibility

e. EDP Auditors Foundation

3. National Computer Security Center

4. National Bureau of Standards

5. Certificate in Data Processing(CPC): Certified Information

Systems Auditor (CISA)

VI. CICA Computer Control Guidelines

A. Accounting and auditing

1. Computer Control Guidelines

a. Responsibility for Control

b. Information Systems Development and Acquisition

c. Information Systems Processing

d. Segregation of Incompatible Functions and Controls

50


a. Security review objectives II ll l

b. Specific security controlsIII l l l

c. Security review process l lll l

d. Evidence accumulation

e. Evaluation of test results 0 lll;; llll

e. Communication of control weaknesses

5'

APPENDIX BTable 7: Computer Science Courses

A. Development of a Security Program TTT


a. Objectives Ill


2. Security plan

3. Training

b. Policies Ill1. Written and communicated I 1 1

2. Board of directors responsibility ] ]

3. DPMA model policy

c. Connectivity, organizational structure, and security

1. Connectivity defined



d. Plans III

1. Human resource management

2. Access control

3. Data control

52

Table 7: Computer Science Courses

4. Labeling

5. Contingency plan

6. Legal responsibilities

e. Respo~nsihilities T

I. Board ot Directors

2. Board of Directors & senior management I

3. Middle mnanagement III4. Users 7 it

B. Risk Analysis III

I. Reson

2. Tvpic.a contents

3. Main purposes

C. Contingency Planning - ]

1. Defined

2. Backup


D. Legtl Issues for Managers

I. Licenses

2. Fraud/misuse

53


3. Privacy M

4. Copyright

5. Trade secrets I [

6. Employee agreements I I

E. System Validation & Verification (Accreditation) Ill

1. Plan testing II IM


F. Information Systems Audit T7

U. Risk Management


1. Processing valuation

2. Risk management team


4. Subclassification of assets

a. People, skills, and procedures

h. Physical and environmental I Alt

c. Communications

d. HardwareI A

e. Software


54


g. Goodwill

5. Determining values •or ••ssets T

a. Acquired and intrinsic vdues

h. Purpose of assigning value to assets

c. How to measure assets values

d. Criticality and sensitivity I

1. Criticality: business impact. revenue losses

embarwassmnent, legal problems T

2. Sensitivity: privacy. trade secrets. planning -

information. financial data

3. Sources MIS. users, senior management

4. Levels: military, national security, commercial

e. Asset valuation: standard accounting

f. Asset valuation: replacement value


h. Asset valuation: estimating methods


a. Limitations

1. Lack of data

55


2. Interpretation

B. Threat and Exposure Assessment - I

1. Threats. vulnerabilities. and exposures defined


a. Properties of threats


c. Combining properties: the cost exposure matrix


a. Definitions

b. Tables of probability values

c. Fuzzy metrics I J N

d. Expected values

e. Worst case




b. Scenarios

c. Past history

d. Outside Sources


56


[II. Safeguards: Security and Control Measures

A. Overview of Safeguards _ T

1. Common sense 1

2. Types of controls: prevention. detection, reaction

a. Basic purpose of controls I

h. Prevention 0

c. Detection

d. Containment

e. Reaction or correction

3. Design strategies

a. Countermeasures

b. Countermeasure selection

c. Sensitivity analysis 7 7

d. Decision analysis

e. Goal-seeking heuristics _ •

f. Risk perception and communication

4. Components of EDP security _ I

a. Administrative and organizational controls

b. Policies

57


c. Personnel

d. Physical and environmental security [ [

e. Computer operations 7 1 1

f. Contingency planning III5. Components of EDP security: technical


b. Hardware

c. Encryption

d. Software

B. Organizational and Administrative Controls

1. Trade secrets, employee agreements, conflict of interest

2. Security policy


b. Access to and distribution of information

c. Laws

d. Regulations

e. Company policy T I1f. Mandatory and discretionary security I -

g. Accountability: identification, authentication, audit

3. Responsibility areas, System Security Officer

58


a. Basic role I I Ib. Duties I I I

c. Training and skills for .a System Security Office -__LL4. Employee training [[

a. Orientation

b. Skills

5. Telecommuting -__T


i. Human motives for criminal action

2. Employee selection I I I

a. Application torms 7 _T



3. Professional certificates I 1 1

4. Working environment - [

a. Vacations and job rotation

b. Employee-management relations [[

c. Career path planning I

d. Remuneration

59


6. Prosecution for adverse actions I 1 1

7. Employee separation TTI

D. Physical and Environmental Security I I I

I. Site location and construction T II

a. Computer room considerations I I

b. Special microcomputer problems III

2 Physical access

a. Access vs. security .... J

b. Rooms, windows, doors, keys

3. Power

a. Spikes. surges, brownouts T

b. Costs of prevention/protection equipment

4. Air-conditioning

5. Water exposures and problems

6. Fire prevention

7. Fre protection

8. Tape and media libraries; retention policies

9. Waste disposal


60


11. Document libraries •nd controls I L

E. Computer Operations I [I

I. Orgamization of computer operations I I I

a. Mainfranes

h. Minicomputers-

c. Microcomputers/office automation T Tl

2. Separation of duties I1I3. Controls at interfaces -F

4. Media controlsI11

5. Backup procedures II IR

6. People controls, II

F. Contingency Planning III

1. Backups and procedures II

a. Datat

h. Manulds and documentation

c. Equipment III

1. Air conditioning I11

2. Uninterruptible power supply T


61


a. Stages in a disaster

b. Planning and response teams

c. Testing plan

d. Communication of plan

3. Security and controls in off-site backup and facilities

4. Business and DP insurance

5. Software escrow arrangements T


A. Hackers and reality: Perception of Risk

B. Communications and Electronic Exposures

1. Locus of attack III

a. Terminals

b. Hosts TTFc. Front-end processors II

d. Gateways T ll

e. Links I

f. Switches (multiplexors, packet switching, etc.) T

g. Special problems with intelligent workstations I 1 1

2. Types of attack T

a. Passive: disclosure: traffic analysis: add/remove nodes

62


h. Active: modification: insertion: deletion: replay

3. Electronic I I I

a. Incoming: interruptions: static: FRI: EMP I

h. Outgoing: leakage I


4. CommunicationsI Ia.Value-added communicationsI I

b. exposures incoming: noise and interference [ I

c. Exposures outgoing: interception, replacement -7 11,

d. Solution: physical measures IIIe. Solutions: encryption III


5. Network design

a. Design considerations III

1. Integration of countermeasures into network

design: cryptographic checksum: time stamp;

Bell/LaPadula model

2. Integration of countermeasures into protocol layers:


63


b. Assuranck:

1. Concept of trust TTF2. Degrees of trustworthiness III

3. Trusted network base II

4. Testing•I

5. Formal specification


C. Encrypti, III

1. Definition kplaintext, ciphertext: encryption/decryption)

2. Public key and private key I I V

3. Key distribution


5. Block mode. cipher block chaining, stream ciphers


6. DES.RSA

7. Cryptanalysis and strength of ciphers (theoretically secure

computationallv secure)

X. Advantages and disadvantages


1. Secure operating systems T II

64


a. History

b. Concepts: capabilities. reference validations [

1. Secure kernels

2. Reference validations and capabilities


d. Design principles fro secure systems _TT

1. Least privilege

2. Open design





e. Common penetration methods and countermeasures III

1. Trojan horse; virus: worm: salami: piggyback: M E

deception; human compromise: etc. III

2. Controls on changes: audit trails: program library;

code comparison: checksums and encryption:.

vaccines and antiviral agents: access control: etc.

2. Access control III

65


a. Discretionary access control

1. Subjects and objects



4. Access control lists lll

5. Capabilities. descriptors

6. Supervisor states, rings, domains T WO.,b. Non -discretion ary access control I

1. Labels on subjects. objects



a. The real problem: bugs

b. Software engineering principles: layering, modularity


d. Formal specification and verification

e. Program library/librarian

f. Data dictionary as a control

g. Conversion and implementation

4. Software controls: Maintenance

a. Separation of duties

66


b. Testing controls

c. Change control A F

5. Assurance I

a. Integrity /

h. Testing I

c. Specification/verification elVT•

d. Facility management III

e. Disaster/contingency

f. Compliance/degree of trustI I

E. Database systems security III

1. Overview

a. Review of basic concepts of information protection [


2. Threats I

a. Direct disclosure of data I•


c. Inference

d. Aggregation

e. Trojan horse

67


3. Policy/mechanism

a. Policy versus mechanism

b. Access controls

1. Access right and privileges

2. Access control policies

3. Granularity

4. Labels I 1 1

5. Access control mechanisms Tc. Inference controls

d. Integrity controls TI1. Integrity policy

2. Integrity mechanisms [ i

e. Accountability controls

1. Identification and authentication TT

2. Audit

4. Design issues III

a. Protection Approaches

1. Trusted kernel

2. Trusted filter

68


3. Encryption I

b. Performance I

c. Storage III

d. Access control vs. integrity Ii

e. Assurance

V. Legal Environment and Professionalism

A. Law and legislation

1. The underlying problem

a. Theft, copying software, privacy

b. Fraud

c. Physical abuse

d. Misuse of information

e. Sabotage

2. Laws as tools for computer security


b. Intellectual property laws

1. Copyright law

2. Trade secret law

3. Patent law II M

69


4. Trademark law

c. Federal laws (esp. Computer Security Act 1987) T IR

d. State statutes III

e. DPMA Model Computer Crime Bill

f. Computer crime legislation in other countries [


a. License agreements (consumer license agreements)

b. permanent license agreements


d. Employee non-disclosure considerations 1 1 1

e. Contracts

I. Software development contracts

2. Legal aspects of software purchasing T

3. Leasing contracts Ill

f. Warranties for software and hardware

4. Control of strategic materials Ill5. Fraud . -'me prevention and detection 7 16. lnvestigauon: evidentiary trial [

B. Ethics and professionalism 11

I. Ethical dccision-making

70


2. Professional societies T

a. British Computer Society


c. Canada. CIPS and DPMA

1. CIPS

2. DPMA Canada


e. EDP Auditors Foundation



5. Certificate in Data Processing(CPC): Certified Information I I

Systems Auditor(CISA)

VI. CICA Computer Control Guidelines .L _

A. Accounting and auditing

1. Computer Control Guidelines


b. Information Systems Development and Acquisition T I


d. Segregation of Incompatible Functions and Controls -7 T

71


Me. Apoplication ControlsM E

2. Information systems audit

a. Sec urity review objectives

b. Specific security controls

c. Security review process


e. Evaluation of test results

f. Communication of control weaknesses 777

72

APPENDIX C

Table 8: Electro-Optical and Communication Courses

I. Overview

A. Development of a Security Program


a. Objectives


2. Security plan

3. Training

b. Policies

1. Written and communicated

2. Board of directors responsibility

3. DPMA model policy I I

c. Connectivity, organizational structure, and security

1. Connectivity defined



d. Plans

1. Human resource management I I I

2. Access control III

3. Data control

73


4. Labeling

5. Contingency plan

6. Legal responsibilities LL

e. Responsibilities [ T

1. Board of Directors

2. Board of Directors & senior management T I

3. Middle management

4. Users TT

B. Risk Analysis

1. Reason

2. Typical contents

3. Main purposes

C. Contingency Planning

i. Defined I

2. Backup


D. Legal Issues for Managers

I. Licenses

2. Fraud/misuse Ill

74


3. Privacy

4. Copyright

5. Trade secrets

6. Employee agreements

E. System Validation & Verification (Accreditation)

1. Plan testing III


F. Information Systems Audit [ [

II. Risk Management


I. Processing valuation

2. Risk management team I I [


4. Subclassification of assets

a. People. skills, and procedures

b. Physical and environmental

c. Communications

d. Hardware III

e. Software


75


g. Goodwill TI5. Determining values forassets [ [

a. Acquired and intrinsic values

b. Purpose of assiening value to assets j Y -

c. 1ow to measure assets values

d. Criticality and sensitivity II

I. Criticality: business impact, revenue losses

emb.u .sment, legal problems I I

2. Sensitivity: privacy, trade secrets, planning

information. financial data [

3. Sources MIS, users, senior management

4. Levels: military, national security, commercial [

e. Asset valuation: standard accounting

f. Asset valu; ,placement value


h. Asset valuation: estimating methods [ [


a. Limitations III

I. Lack of data

76


2. Interpretation

B. Threat and Exposure Assessment

I. Threats. vulnerabilities. and exposures defined


a. Properties of threats T177


c. Combining properties: the cost exposure matrix TT


a. Definitions Tb. Tables of probability values

c. Fuzzy metrics III

d. Expected values

e. Worst case II




b. Scenarios

c. Past history

d. Outside Sources


77


III. Safeguards: Security and Control Measures

A. Overview of Safeguards

1. Common sense

2. Types of controls: prevention, detection, reaction F T

a. Basic purpose of controls

b. Prevention

c. Detection

d. " .unment A Ie. Reaction or correction

3. Design strategies

a. Countermeasures

b. Countek measure selection E l

c. Sensitivity analysis

d. Decision analysis

e. Goal-seeking heuristics

f. Risk perception and communication

4. Components of EDP security

a. Administrative and organizational controls F

b. Policies

79


c. Personnel

d. Physical and environmental security

e. Computer operations

f. Contingency planning

5. Components of EDP security: technical


b. Hardware

c. Encrytion H

d. Software

B. Organizational and Administrative Controls [[

1. Trade secrets, employee agreements. conflict of interest ] ]

2. Security policy


b. Access to and distribution of information

c. Laws

d. Regulations

e. Company policy

f. Mandatory and discretionary security

g. Accountability: identification. authentication. audit I73. Responsibility areas. System Security Officer

79


a. Basic role III

b. Duties

c. Training and skills for a System Security Office

4. Employee training

a. Orientation

b. Skills IFI

5. Telecommuting


1. Human motives for criminal action

2. Employee selection

a. Application forms



3. Professional certificates [ ]

4. Working environment

a. Vacations and job rotation [ [

h. Employee-management relations

c. Career path planning

d. Remuneration

80


5. Access rights and privileges

6. Prosecution for adverse actions ]

7. Employee separation III

D. Physical and Environmental Security

1. Site location and construction

a. Computer room considerations

b. Special microcomputer problems III

2. Physical access

a. Access vs. security I

b. Rooms. windows, doors, keys

3. Power III

a. Spikes, surges, brownouts

b. Costs of prevention/protection equipment I I I

4. Air-conditioning

5. Water exposures and problems [ ]

6. Fire prevention III

7. Fire protection

8. Tape and media libraries: retention policies I I I

9. Waste disposal


91


11. Document libraries and controls ][

E. Computer Operations

I. Organization of computer operations

a. Mainframes III

b. Minicomputers

c. Microcomputers/office automation

2. Separation of duties

3. Controls at interfaces

4. Media controls

5. Backup procedures

6. People controls

F. Contingency Planning

I. Backups and procedures T

a. Data

b. Manuals and documentation

c. Equipment

1. Air conditioning

2. Uninterruptible power supply


82


a. Stages in a disaster

b. Planning and response teams I

c. Testing plan IT

d. Communication of plan I 1

3. Security and controls in off-site backup and facilities I [

4. Business and DP insurnce

5. Software escrow arrangements III


A. Hackers and reality: Perception of Risk IllB. Communications and Electronic Exposures

1. Locus of attack

a. Terminals

b. Hosts

c. Front-end processors 1

d. Gatf ways *1

e. Links

f. Switches (multiplexors. packet switching, etc.)

g. Special problems with intelligent workstations

2. Types of attack

a. Passive: disclosure: traffic analysis: add/remove nodes

83


b. Active: modification; insertion: deletion: replay

3. Electronic

a. Incoming: interruptions: static: FRI: EMP

b. Outgoing: leakage


4. Communications

a. Value-added communications

b. exposures incoming: noise and interference

c. Exposures outgoing: interception, replacement U T

d. Solution: physical measures

e. Solutions: encryption


5. Network design

a. Desien considerations I

1. Integrtion of countermeasursinto network II

design: cryptographic checksum: time stamp:

Bell/LaPadula model

2. 1 of countermeasures into protocol layers:


84


b. Assurance

1. Concept of trust

2. Degrees of trustworthiness [ [

3. Trusted network base

4. Testing

5. Formal specification


C. Encryption III

1. Definition (plaintext, ciphertext: encryption/decryption)

2. Public key and private key

3. Key distribution


5. Block mode, cipher block chaining, stream ciphers


6. DES. RSA El

7. Cryptanalysis and strength of cipher (theoretically secure

computationally secure)

8. Advantages and disadvantages


1. Secure operating systems

85


a. History

b. Concepts: capabilities, reference validations

1. Secure kernels

2. Reference vdidations and capabilities


d. Design principles fro secure systems F

I. Least privilege

2. Open design





e. Common penetration methods and countermeasures

1. Trojan horse; virus: worm: salami; piggyback;

deception: human compromise, etc.

2. Controls on changes; audit trails: program library:

code comparison: checksums and encryption: FTTvaccines and antiviral agents, access control; etc.

2. Access control

86


a. Discretionary access control

1. Subjects and objects T F I



4. Access control lists

5. Capabilities. descriptors

6. Supervisor states, rings. domains

b. Non-discretionary access control

1. Labels on subjects. objects



a. The real problem: bugs I

b. Software engineering principles: layering. modularity


d. Formal specification and verification [[

e. Program library/librarianI I

f. Data dictionary as a control

g. Conversion and implementation

4. Software controls: Maintenance

a. Separation of duties I77

87


b. Testing controls

c. Chance control

5. Assurance

a. Integrity

b. Testing

c. Specification/verification ili

d. Facility man-trement III

e. Disaster/contingency III

f. Compliance/degree of trust I I

E. Database systems security ]

1. Overview III

a. Review of basic concepts of information protection I I _


2. Threats FTa. Direct disclosure of data


c. Inference

d. Aggregation

e. Trojan horse

88


f. Coven disclosure of data

3. Policy/mechanism -ll

a. Policy versus mechanism III

b. Access controls

1. Access right and privileges I I

2. Access control policies I

3. Granulafity I !

4. Labels

5. Access control mechanisms III

c. Inference controls

d. Integrity controls III

I. Integrity policy III2. Integrity mechanisms III

e. Accountabiity controls

1. Identification and authentication

2. Audit

4. Design issues Illa. Protection Approaches

1. Trusted kernel Ill

2. Trusted filter -]T ]

89


3. Encryption TT F

h. Performance

c. Storage

d. Access control vs. integrity [ [

e. Assurance

V. Legal Environment and Professionalism I [ I

A. Law and legislation II

1. The underlying problem

a. Theft. copying software. privacy

h. Fraud

c. Physical abuse

d. Misuse of information

e. Sabotage

2. Laws as tools for computer security - I


b. Intellectual property laws 7

1. Copyright law

2. Trade secret law

3. Patent law

90


4. Trademark law

c. Federal laws (esp. Computer Security Act 1987)

d. State statutes

e. DPMA Model Computer Crime Bill

f. Computer crime legislation in other countries


a. License agreements (consumer license agreements)

b. permanent license agreements


d. Employee non-disclosure considerations

e. Contracts

1. Software development contracts

2. Legal aspects of software purchasing

3. Leasing contractsII

f. Warranties for software and hardware II

4. Control of strategic materials ] I ]

5. Fraud and crime prevention and detection jfj

6. Investigation: evidentiary trial

B. Ethics and professionalism

1. Ethical decision-making

91


2. Professional societies

a. British Computer Society I I


c. Canada CIPS and DPMA T

I. CIPS

2. DPMA Canada III


e. EDP Auditors Foundation III



5. Certificate in Data Processing(CPC): Certified Information

Systems Auditor(CISA)

VI. CICA Computer Control Guidelines

A. Accounting and auditing 7 ll1. Computer Control Guidelines


b. Information Systems Development and Acquisition


d. Segregation of Incompatible Functions and Controls I I

92


e. Application Controls

2. Information systems audit

a. Security review objectives

b. Specific security controls

c. Security review process III


e. Evaluation of test results T

f. Communication of control weaknesses

93

LIST OF REFERENCES

[ Ref. 1] Stoll, C. The Cuckoo's Egg, Doubleday, 1989.

[ Ref. 2] Computer Science Department, Purdue University, Technical

Report Number CSD-TR-823, The Internet Worm Program:

An Analysis, by E. H. Spafford, pp. 1-2, 1988.

[ Ref. 3] U.S. General Accounting Office Report, GAO / T-IMTEC-

92-5, Hackers Penetrate DoD Computer Systems, by J. L.

Brock, pp. 2-3,1991.

[Ref. 4] Baker, Richard H., Computer Security Handbook, 2nd

Edition, pp. xvii-xviii, TAB Professional and Reference

Books, 1991.

[ Ref. 5] Denning, Peter J., ed., Computers Under Attack: Intruders,

Worms, and Viruses, p. xiv, ACM Press/Addison-Weseley,

1990.

[ Ref. 6] Russell, D., and Gangemi Sr., G. T., Computer Security

Basics, pp. 8-11, O'Reilly and Associates, Inc., 1991.

[ Ref. 7] Ibid.

[Ref. 8] Ibid., 17.

[Ref. 9] Ibid., 13.

[Ref. 10] Denning, iii.

[Ref. 11] Ibid., 456.

[Ref. 12] Ibid., 459-460.

[Ref. 13 ] Brock, 5.

94

[Ref. 14 Interview between J. Zucker, Lieutenant Commander, USN,

Moffett Naval Air Station, Mountain View, CA, and the

author, 25 November, 1991.

[Ref. 15 Interview between D. Hutton, ADP Manager, Naval

Postgraduate School, Monterey, CA, and the author, 15

November, 1991.

[Ref. 16] Russell, 283.

[Ref. 17] Ibid., 104.

[Ref. 18] Ibid.

[Ref. 19] Ibid., 112.

[Ref. 20] Fites, P.E., "Professional Certification for Information

Systems Security Practitioners", Computer Security Journal,

v. V, n. 2, pp. 75-88., Computer Security Institute, 1990.

[Ref. 21] Ibid., 76.

[Ref. 22] Ibid., 77.

95

INITIAL DISTRIBUTION LIST

Defense Technical Information Center 2Cameron StationAlexandria, VA 22304-6145

Dudley Knox Library 2Code 52Naval Postgraduate SchoolMonterey, CA 93943-5002

Chairman, Code 37 2Administrative Sciences DepartmentNaval Postgraduate SchoolMonterey, CA 93943

Administrative Sciences Department 1Code AS/BdNaval Postgraduate SchoolMonterey, CA 93943

Computer Science DepartmentCode CS/SpNaval Postgraduate SchoolMonterey, CA 93943

CommanderNaval Computer and Telecommunications Command4401 Massachusetts Ave., N.W.Washington, D.C. 20394-5000

Director of Space and C4 System Requirements N6(OP 094) 1Office of the Chief of Naval OperationsWashington, D.C. 20370-5000

96

CDR Debbie CampbellNational Computer Security Center NSA / C81 /APSXI9800 Savage Rd.,Ft. Meade, MD 20755-6000

Naval Information Systems Management CenterBldg. 166,Washington, D.C. 20374-5070

SPAWARCode 2241Crystal City 5CPK, 700Washington, D.C. 20363-5100

97

naval postgraduate school monterey, california · rinald wayne vughn -avail and ior dist special...

Documents